PT-2013-3860 · Light Feed · Leed

Published

2013-12-23

Updated

2014-01-14

CVE-2013-2629

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions Leed (Light Feed) versions prior to 1.5 Stable

Description The issue allows remote attackers to bypass authorization. This can be achieved via vectors related to the (1) importForm, (2) importFeed, (3) addFavorite, or (4) removeFavorite actions in the "action.php" endpoint.

Recommendations For versions prior to 1.5 Stable, update to version 1.5 Stable or later to resolve the issue. As a temporary workaround, consider restricting access to the "action.php" endpoint to minimize the risk of exploitation. Avoid using the importForm, importFeed, addFavorite, and removeFavorite actions in the "action.php" endpoint until the issue is resolved.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2013-2629

Affected Products

Leed

PT-2013-3860 · Light Feed · Leed

CVE-2013-2629

Weakness Enumeration

Related Identifiers

Affected Products

References · 3